Key Capitol Hill Hearings, CSPAN, November 11, 2013, 2:30pm-4:31pm EST

2:30 pm
>> who will be talking on the diplomatic campaign in afghanistan and pakistan. the second one will be a couple of weeks later, december 4, wednesday. the keynote address will be by the senior advisor of the transnational
2:31 pm
threats project and homeland security counterterrorism program. he will be speaking on treasury's war, the unleashing of a new era of financial warfare. one final reminder. when this panel concludes we have to clear the room just like we did yesterday so the hotel can set up for lunch, about 50 minutes, and then we'll come back in and start our lunch program. it gives me great pleasure to introduce our moderator this morning, mary derosa, distinguished visitor from georgetown law. thank you. [applause] >> thank you, everybody. i'm very excited to be here as we have a really terrific panel. we are here to talk about cybersecurity, and how we address this significant and growing threat from criminals, hackers, terrorists, anarchists, and other nations who are spying on us, stealing from us,
2:32 pm
intruding, disrupting and potentially attacking our private sector and government infrastructure. i don't feel like i have to say very much about the threat; there's a lot of background, particularly in this crowd. not too many years ago, if you started talking about cyber, cybersecurity, most of the eyes in the room would have glazed over. and not that people didn't care about it, but it was technology; it didn't feel like the kind of national security issue we are used to dealing with. but now i suspect everyone here is paying a lot of attention to cyber and the issues, because the threats that we're facing have only increased, and increased quickly.
2:33 pm
and the efforts to address them are progressing, i think it's fair to say, a little more slowly. so today we are very lucky to have a panel of people whose eyes have never glazed over on the topic of cyber, or probably anything else. and these people have been thinking about cyber intensely, in many cases for many years, way before it was cool. so really, the collective experience and expertise here is really impressive. we are going to focus this panel on the relationship between the u.s. government and the private sector in cybersecurity: what are the challenges, where have we made progress, where are we on the right track and where might we need to do some rethinking in those relationships. so let's get to it.
2:34 pm
i'm going to introduce the panelists, and then we'll run this as a conversation. the panelists' bios: i'm going to give you some information, but there's a lot more impressive stuff in them, so please read them in the materials. i'll start with leonard bailey. leonard is a special counsel for national security in the department of justice's computer crime and intellectual property section. he was also recently an associate deputy attorney general, and responsible in that capacity for managing criminal and national security cyber policy for the department of justice. he's had a long career in the justice department working on crime and cyber issues. leonard received a jd from yale law school and a ba from yale law school. steve chabinsky is senior vice president of legal affairs,
2:35 pm
general counsel and chief risk officer of the internet technology firm crowdstrike. he is also an adjunct faculty member at george washington university, and the cyber columnist for security magazine. prior to joining crowdstrike, steve was at the fbi for 17 years, culminating in his service as deputy assistant director in the fbi's cyber division. prior to that he organized and led the fbi's cyber intelligence program. he's also served in the office of the director of national intelligence. he's a graduate of duke university and duke law school. laura donohue is a professor of law at georgetown law, and director of georgetown's center on national security and the law. she writes on national security and counterterrorism law in the
2:36 pm
united states and the united kingdom, including on emerging technologies. professor donohue has held fellowships at stanford law school's center for constitutional law, stanford university's center for international security and cooperation, and harvard university's john f. kennedy school of government, where she was a fellow in the international security program as well as the executive session for domestic preparedness. she received her a.b. in philosophy from dartmouth, her m.a. in peace studies from the university of ulster, her jd from stanford law school and a ph.d in history from the university of cambridge in england. wow. jim lewis is a senior fellow and director of technology and public policy at csis, where he was nice enough to hire me a while back. at csis, he writes on technology and security, and international
2:37 pm
economy. jim has authored more than 90 publications since coming to csis. he's an internationally recognized expert on cybersecurity, whose work includes the best selling securing cyberspace for the 44th presidency. before joining csis, he worked at the departments of state and commerce as a foreign service officer, and as a member of the senior executive service. he received his ph.d from the university of chicago. and last but not least we have daniel sutherland, who is the associate general counsel for the national protection and programs directorate of the department of homeland security. in this capacity he is the primary legal adviser to the undersecretary for nppd. he leads a team that provides legal services to the office of cybersecurity and communications, the office of infrastructure
2:38 pm
protection, the office of biometric and identity management and the federal protective service. he previously served in the senior national intelligence service at the nctc, and prior to that he was at homeland security providing legal and policy advice to three secretaries of homeland security as the first officer for civil rights and civil liberties at the department. he started his federal career as a civil rights attorney at the u.s. department of justice, is a graduate of the university of louisville and the university of virginia school of law, and he's also an adjunct professor at pepperdine and george washington university. so, let's get started. i'm going to start, dan, with you. our topic today is the relationship between government and the private sector on cyber, and a key element of that relationship is the effort to share information, to promote
2:39 pm
sharing of information between the private sector and government about vulnerabilities, threats, and intrusions. can you talk about, from the dhs perspective, what those efforts are trying to achieve and how they are working? >> good. thank you. i'll try. i'm going to describe some of the information sharing programs that my client administers, and that will hopefully set up the other panelists to talk about some specific approaches to those issues. i think information sharing is one of those terms that can make anybody's eyes glaze over. so i'm going to try to put in plain english, to the extent that i can, what these programs are about. dhs has very broad responsibilities in cyber, from the coast guard's role in cyber, to cbp and ice with electronic border searches, to the secret service investigating cybercrime. central to dhs's cyber role
2:40 pm
is the work that my client, the national protection and programs directorate, does. it focuses on increasing the security and resilience of critical infrastructure, federal and non-federal, for both physical and cyber threats, making a connection really there. i know we're talking about the private sector. let me briefly tell you about what we do in the federal critical infrastructure because i think it will help in the discussion. our role there can be hands-on and direct as we work with our colleagues in other federal agencies. we provide technical capabilities to allow other federal agencies to protect and secure their networks. for example, we have a service called cdm, or continuous diagnostic mitigation, which is a scanning program that allows them to diagnose vulnerabilities in the system, allows them to understand how the networks look and where vulnerabilities might lie. then we also have a capability that's referred to as einstein,
2:41 pm
which uses signatures or indicators of known malicious activity, and when a signature is recognized it allows the networks to filter that so that malicious activity doesn't enter networks. information from both einstein and cdm is then gathered and fed back into the system so everyone is learning as we go through. and there's a parallel there, i think, with what we're going to talk about in terms of information sharing. in terms of the private sector, how we partner with the private sector, we are working with people in the private sector to help them withstand attacks and recover from incidents. let me break that down just a little bit. we help companies understand the risks and manage their risks. for example, we provide bulletins with information about threats and vulnerabilities that we have from a variety of sources and put these bulletins out publicly. you can find them on a website. they are broadly distributed.
2:42 pm
we also have assessment teams. we help companies assess their networks, make recommendations on how they can improve their security. that's pre-incident, left of the boom. second, when a company is a victim of an incident, dhs provides help in assessing the scope of that incident and advice and recommendations on mitigating the incident. and then finally, we take information about incidents, we dissect it, understand it, analyze it and then push that information back out to others in the system. again there's this continuous learning cycle, and information really has to be that kind of continuous learning cycle, and i think that provokes some of these issues we're talking about. i think it's helpful to understand that information sharing is not a monolithic concept, and that produces, i think, some of the difficulty we have in coming to grips with all of this. it may be obvious but i need to point out that there are
2:43 pm
different types of information that we may want to share, and for different purposes. there are different degrees of sensitivity in the information that we have. some classified, some unclassified. and that, therefore, promotes a variety of restrictions. there are different rules for sharing, depending on who's doing the sharing and who's doing the receiving. i think we'll discuss that as we go along. so let me just finish by giving you kind of a spectrum of some of the information sharing programs that we're doing. there's a wide spectrum. first, we do work in the area of vulnerability alerts. we send bulletins to a broad range of people who get this information. as i said, it's even on a public website. the information could be already publicly available but not generally known, and the goal is to allow a broad range of entities to use that information in developing network security. on the next part of the spectrum
2:44 pm
is more focused or more targeted information and a more targeted relationship. in this context we often have actual written agreements between us and the entity we are sharing with. in this context we share threat information, but we also take it a step further where we can do what is referred to as operational collaboration. so you're not only sharing information but also sitting and working through issues. we have the national cybersecurity and communications integration center, the nccic, which is an operations floor where people who have these agreements are able to sit and liaise and have a kind of operational collaboration. that's bilateral sharing, the term they use, which is both back and forth, u.s. government and private sector back and forth, and having multilateral effects. as it goes to the private sector it's starting out. so the last part, and i'll finish with it, in terms of the spectrum: broad public audience,
2:45 pm
more tailored audience, and then a specific audience, a program called enhanced cybersecurity services. this includes classified data. we've negotiated agreements with a select set of certified providers who have demonstrated that they can handle and protect classified information. the information shared is more sensitive, obviously. under this program those companies are able to package that information and use it for a broader range of helping others in the private sector to protect their networks and security. so there's a range of information sharing programs, again, for a variety of purposes, with restrictions on data, and with different purposes that we're trying to accomplish at the end. i hope that's kind of a good overview of some of these information sharing programs. >> perfect. thank you. i'm going to turn to leonard and see if you can, from doj's perspective and your experience, add to that.
2:46 pm
>> sure. so let me start by saying i submit that information sharing in the arena of cyber is both difficult and necessary. when i say that it is necessary, i say that it's necessary in a way that it may not be quite as necessary in other areas. what i mean by that is, when you're dealing with a cyber incident, determining first whether you have a cyber incident takes information. in other areas, for example, terrorism, you would open a window and you would see a bomb crater. you would see some sort of carnage. there would be some manifestation of the problem that you do need to address and respond to. cyber is different. the best indicia of some sort of activity we have in cyber is communication. communications that are doing something or affecting the network in various ways. and it so happens that in our legal regime, communications
2:47 pm
are regulated, or access to them is regulated. necessarily. they touch on first amendment, fourth amendment issues, privacy concerns. and so you're necessarily dealing with an environment in which you are trying, as someone who's dealing with cybersecurity, to gain access to protected data. so we need to get this information in order to determine whether something is happening, but it is in some ways by the force of law made more complex. the complexity is then -- i'll amplify on something dan was talking to for a moment. this information sharing cuts across different entities. so you have sharing that has to happen among private entities. by and large the constraints that people speak of in that
2:48 pm
area are largely things like antitrust concerns, although i must say we have difficulty talking to industry and identifying exactly what those antitrust concerns may be when they are actually sharing cyber threat information, which is what we're talking about. then, of course, you have sharing from the u.s. government to the private sector, and that's something dan was speaking to, a lot of product that's going out to the private sector in an effort to help them better protect their own networks. and then there is the effort to get information from the private sector so that the government is in a better posture to respond to and mitigate any incident that occurs. and, of course, that is the area where we find perhaps the greatest difficulty. that's where you have your fourth amendment concerns and, again, the web of regulatory statutes that apply, the wiretap act and the other statutes.
2:49 pm
there are statutes that we have set out there to regulate how the government gets information. in the cybersecurity space, while we have attempted to figure out how to do legislation, this is a challenge: putting all this together and figuring out how and when the statutes that normally operate give way in the interest of cybersecurity while at the same time protecting civil liberties and privacy. and that becomes a line-drawing exercise which i think will be a push and pull for a little while still to get just right. i'm something of an optimist, and so i'm hoping we have made some headway in those discussions in at least identifying certain issues. i think there are some issues that have come out and have been teased out that relate to things like minimization and how that -- the types of applications of information that's obtained.
2:50 pm
i will just finish by saying, i think really the difficulty in information sharing is the ability to reach into the soup of data that is content, non-content, metadata. i mean, reaching into that soup and, one, extracting a good image of what it is that might be a hazard to deal with, and at the same time identifying what you need to do about that hazard. again, complex but very necessary. >> great. laura, leonard has raised some of the legal and privacy issues he sees with information sharing, and i'm wondering if you could give your perspective on that and any concerns or additional thoughts you have on that? >> thanks very much. so, i'd like to broaden this just a little bit to address this question, which is looking at cybersecurity generally. there are more than 50 statutes already in place that deal with cybersecurity. the problem is that since 2002,
2:51 pm
there hasn't been kind of a comprehensive cybersecurity bill that's successfully gone through congress. and the reason this matters is because there are many different aspects of cybersecurity that need to be addressed. we talked a little bit about information sharing, and along with that goes protection of the critical infrastructure, which dan addressed. but there are also other huge issues on the table, like fisma reform. fisma was introduced in 2002. it's under pressure right now and being criticized because it focuses more on procedure and compliance than on risk analysis. it's expensive. there's a data deluge going on in terms of federal agencies. so they're expecting a 47% increase in data by 2015. there are concerns about fisma. there are concerns about the criminal realm. so we have seen proposals to deal with breaches, exposure of data, as well as cybercrime. there are international efforts. there's emphasis on research and development. there's cybersecurity workforce
2:52 pm
bills before congress. and the point to be made about all this legislation is, even for those of us who follow this fairly regularly, there have been more than 100 bills in three years. more than 100 bills introduced. what's interesting, and this goes to leonard's point, in terms of starting to reach a consensus or at least agreement on some of the issues, that number being introduced is decreasing. in the 111th congress there were more than 60 bills introduced. in the 112th congress there were more than 40. and in the 113th congress there were over a dozen, right? so we have seen the actual volume, thank goodness, starting to taper off a little bit. but the reason why it hasn't been addressed yet, and there hasn't been broad agreement, in part really turns on this information sharing and protection of critical infrastructure question. there are four concerns here. first is the legal barriers. leonard referenced some of these. there are a myriad of statutes in place right now that actually protect privacy and
2:53 pm
would have to be addressed or would have to be overcome for information sharing. they range from communications privacy to children's privacy, privacy of financial information, privacy of government collections, medical records, miscellaneous records and activities, confidentiality and so on. many statutes in place. many of these could actually be changed or amended, but then you are still left with the constitutional concerns that present. so there are first amendment concerns about the protection of speech, associational privileges, political privileges related to that, anonymity in public space. there are very serious fourth amendment issues that present with regard to both search and seizure, and perhaps we will talk later in the panel about how the fourth amendment concerns come down in light of emerging technologies and what really appears to be, on the supreme court, a growing tension between trespass and those who
2:54 pm
come down using application of the reasonable expectation of privacy. the fourth amendment concerns, fifth amendment, you have due process concerns that are raised here, ninth amendment issues, so there's a number of constitutional issues there. in addition to the legal barriers there is the second major kind of tranche, concerns about liability and misuse of this information. so this tends to be another huge area where there are various proposals, and we might get into these later in the panel. the third major area is the protection of trade secrets and other proprietary information. this tends to be a big sticking point. and, finally, there are institutional and cultural factors that relate to secrecy and confidentiality in terms of doing business. there are a number of solutions that have been considered for these different areas, but so far we haven't had a comprehensive bill that has managed to make it through both houses. it doesn't look like we're going to have one this year or in the near future either.
2:55 pm
>> okay. great. i want to turn to steve, and you obviously in your current capacity have a kind of window into the way the private sector views a lot of these issues. and maybe you can comment on the information sharing programs that we've been hearing about from the private sector perspective. what are the concerns? >> i think the predominant concern is a question of why we are sharing information. what is the strategic value of information sharing? there might be some tactical advantages here and there to the information sharing that you see today. but it's really on the margins. and so what we hear a lot, i would kind of equate it to selling vitamins, exercise programs and band-aids. nothing is wrong with any of those. i like them all. i take my vitamins, don't
2:56 pm
exercise as much as i should and use a band-aid when i get a cut. but we're not in that environment. there are militaries and organized crime groups. this is not a resolution for vitamins, exercise programs and band-aids. and, in fact, what you find is that it's really not a resolution for victims to constantly be playing defense and shoring up their systems. it's just not possible. it's never going to be possible for an agency or a corporation to become impenetrable to the vast number of threats that we see today in our interoperable dynamic environment. it might be possible if we bunkered down and didn't connect to other systems, and we retained static environments, but that's not the situation we are confronting here. and so what we're seeing is a failed strategy where our
2:57 pm
security gets worse every year, because we've been predominantly focused on vulnerability mitigation. we've been predominantly focused on information sharing, in which the government warns the private sector to kind of hide under the table, to lock the doors. and then when that doesn't work, there are more warnings. the private sector is looking at the government saying, i don't mind being warned, i like being warned that there's incoming, but i had hoped that while you were warning you were actually going after the bad guys and taking them off the playing field. when you're in school and you have these drills, that's a bomb drill in the old days, right? that's okay. i could hide under my desk for five minutes, five hours, maybe five days, but it's been 15 years, so come on. this is not going to get better. and the problem is that we haven't put our resources into threat deterrence. in the real world we would never operate like we're operating in
2:58 pm
cyber, where we are constantly victimized and we victimize the victims, right? we tell them they haven't done enough to protect themselves. the cost of having information for protection that we see has very limited return on investment. at the end of the day, if we don't change the playing field, threat deterrence, to make it so that the bad guys can't keep trying and trying and trying, right, with no negative consequences, this is the way it's going to end every time. and so we do need environments where information sharing is fostering a new strategic paradigm that focuses on better detection, early detection of the bad guys, better attribution, figuring out who they are, and then real penalties. so that when the government actually knows who the bad guys are, they can do something about it. we can't be in a situation where the government has all the information it needs to say exactly what foreign country or countries are robbing our
2:59 pm
industry blind, and then 10 years, 15 years later it's the same or worse situation. you cannot allow that environment to continue. and so we need a complete shift over to threat deterrence, and attribution does matter. penalties do matter. when you think about the real world, we don't go around trying to become impenetrable. at our places of business we do have locks on doors, locks on windows, but after a while if there are break-ins we shift to threat deterrence. we have alarms. we have cameras, and those alarms and cameras do nothing to make the environment less penetrable. what they do is they shift the burden away from the victim, and they make information sharing about going after the bad guys. the alarm is for early detection.
3:00 pm
vitamins, band-aids and the like, but we are hemorrhaging right now. and it cannot be the case that when you come and see your place of business completely raided, maybe the integrity of your products is changed, you might not have availability, that the first question is how do i clean this up? what is my management strategy? the question has to be why is someone coming after me and what are we going to do about that? i think to myself of the godfather movie, where you come home one day and find a horse head in
3:01 pm
your bed, and your immediate reaction is, how am i going to clean this up? that's what's happening here. it's quite preposterous. why is this happening and how are we going to change this? so, what i hope changes over the next few years is that we really need to stop further victimizing victims, increasing their cost with no metrics of success, and start shifting towards threat deterrence models and the governance that will require. >> i had more questions about band-aids, but i think maybe we should, you know, since steve has raised this very interesting and important topic -- i would like to get, leonard, your response and hear from jim and anyone else. >> there's much wisdom in what you
3:02 pm
said. the one thing i would say is that i mentioned earlier it's hard because it is a multidisciplinary problem. it cuts across the private sector, government; it's international. and i think that the challenge that we have understood in the last few years is we have to be able to walk and chew gum at the same time. so, while we are doing all of the vulnerability mitigation activities, we should also be dealing with the threat actors, removing those threats. we should be on the prevention side, building safer, more secure software and hardware that doesn't invite intrusions, right? we should be able to, on the back end, mitigate and recover quicker because we aren't going to prevent every incident that happens. being from the enforcement agency in the department of justice, i would -- [inaudible]
3:03 pm
the notion that there would be more resources would be something we would be very much in favor of. but i would also say that we do in fact go after the actors. we enjoy greater success in the international realm. we are getting large-scale data breach actors in eastern european countries. we are gaining cooperation with countries in the prosecutions and also obtaining them for prosecution. so i guess the only thing i can take issue with is that there isn't a threat mitigation activity happening on the other side. there is much to be done, again because of the complexity of networks and the way they work and the ability to get information in the international environment. but that work is in fact occurring. i would be very much in favor of going after it in a more concerted way. the only thing i would toss out is we also do know, as it was said, that this does work.
3:04 pm
there was a prosecution of albert gonzalez, who was one of the most successful data breachers on the planet and still may hold that record, convicted and sentenced to 20 years. but when he and his ring were taken off the line, according to the verizon report, there was a noticeable international drop in the data breach activity, so we do know in fact going after them matters. i would say we are doing that. i was looking for more. >> i would agree with you. >> i told mary not to put me first and i'm kind of regretting it now. and frankly i don't do cybersecurity conferences anymore because for me it is a lot like groundhog day. think of the two levels of opponents. the albert gonzalez types, they are defeatable; there are measures to defeat them. think of the high-level
3:05 pm
opponents. there are 20 or 30 criminal groups, largely in russia, that have the fsb equivalent, pardon me, the russian intelligence service. they are unstoppable. there is nothing you can do. if they want to get in they are going to get in. they are going to be on your tail in 30 minutes. can you beat that? we have a hard set of opponents and two different strategies for dealing with them. the u.s. has a strategy and it's really touching. i feel really glad. it has three parts. it has a diplomatic strategy that's been published by the white house, and we are doing pretty well. some of what steve was talking about is in the budapest convention on cybercrime. we have made good progress on the diplomatic side. we are in the snowden turbulence, but i know we are going to talk more about the international
3:06 pm
stuff later. on the military side we are doing quite well. we are one of the three best in the world. you can read our strategy. it's top secret but you can get it on the guardian website. [laughter] >> i tell people i don't work for the government anymore, but you're doing pretty well. on the military side we have discovered, surprisingly, a shortage of resources. we don't have enough bodies who know how to do this, and so there is an effort now to crank out the bodies. the place where we are falling short is on the domestic side, and there are a whole lot of reasons for that. the main reason is political gridlock, and i think that you've heard that from all the panelists. this is our third constitutional crisis in the last century. and when we are in these little periods of unhappiness, nothing is going to get done. so congress isn't going to pass any legislation. the next congress probably won't
3:07 pm
pass any legislation unless there is political change. so what do we do in the interim? we offer magical solutions. so information sharing is a magical solution. say the formula and then maybe it will be better. you don't want to say on cybersecurity, i know it's a problem, i'm not going to do anything. but they will share information. i told you in 30 minutes you are going to be tough with insurance quex. so, when you talk to people, what has changed? it's getting attention, so talk about your eyes glazing over. i talked to an investment firm in new york a little while ago and the ceo said i really don't want to know and i don't care. if i make my mark and the money i'm expecting, i don't care if someone else makes money off of it, too. he got excited. but, you have the c-level
3:08 pm
attention and that will change things. information sharing is a good topic to think about some of the obstacles we have in developing a private response. and i'm not holding up the government as an example or anything at the moment. there is a real reluctance to share information among the companies, and you can work out why. there was an sec ruling last year, promoted by senator rockefeller, that basically said that people -- when something bad happens to people -- of course the response from the companies was to define bad. it turns out nothing bad has ever happened. so, i personally am relieved to hear that. the issues that come up, legitimate issues for companies, and the ones you are familiar with, are liability and risk. there is a risk to the shareholder value if you report a significant loss of intellectual property, significant loss of financial data. now how do i know that these occurred? because the nsa spies on other people.
3:09 pm
and so we see what the other people have collected from the american companies. of course it prevents us from saying here is the big bank, they lost this amount of money. we saw it but we can't say anything. so, the public debate is misinformed in some ways because the scale is not established that precisely. there are legal obstacles, information you have heard about that. i don't know about the antitrust. all the companies say antitrust. i don't know how true it is. there are a few sectors that have made some progress and i would look at financial services and telecom. they made progress because it is in their business interest to do better at cybersecurity. other places, very little progress. so the energetic 12-year-old could probably be a good cyber attacker. i've had some unusual experiences and the one that was the most unusual for me, i was in a big international conference,
3:10 pm
and this was during the shutdown -- october 17, in asia -- and for the first time, i saw people expressing pity for the united states. we were not the feared superpower anymore. they were feeling sorry for us. i think while we are in this political situation it isn't going to change. and until the political change occurs, we are going to see progress on cybersecurity or information sharing only outside of what the executive branch can do without new authority. the only caveat to that would be if there is some sort of an unavoidably disastrous event, not a cyber pearl harbor, please, but some sort of a big event, maybe involving wall street, something like the 2003 blackout, and you will see the congress react. but until that time, the classic example is the bill, the
3:11 pm
cispa bill put together by rogers. it's a good bill. there's a matching bill in the senate that is being developed by senator feinstein and i think senator chambliss. the odds of the bill passing, even though it would remove some obstacles to information sharing -- the odds of it passing? it is a good bill. we need it. it has a good chance. that might be a good way to end my overview of cybersecurity. >> i'm kind of depressed right now. laura -- >> i don't think it's going to go anywhere. it's seen as a magic bullet and this is, as steve noted, kind of victimizing the victims in some sense. where i disagree is about congress, that what is really going on is that we are in an unhappy period, and the reason i disagree is that there are some very serious legal and constitutional concerns.
3:12 pm
for instance, take steve's suggestion about the capabilities of ppd 20 that jim just mentioned. we have some very difficult legal questions about covert activities under the 1947 national security act and under what conditions the exceptions in the act, dealing with intelligence collection or traditional military activity either planned or operational, apply, and the extent to which it falls within that. so if it doesn't fall under covert action then what happens in congress? how does the authorization have to go? i think there are some difficult questions there. with regard to the fourth amendment issues and privacy concerns, there are some very difficult questions that have to do with once you have been ordered to collect information and are acting on behalf of the government, you are subject to fourth amendment concerns, so the fourth amendment issues are quite significant and have to be addressed. then there is an elephant in the room that we haven't addressed
3:13 pm
which is yesterday morning's headline, which is the nsa is collecting information on private information, and i think there is a healthy level of mistrust between industry and the government, and the idea that information sharing can somehow take place in a siloed universe where nothing wrong will be done with it, without exposing the companies to liability or hurting them in some way, i think this ignores the considerable concern that certainly yahoo! and google and others are expressing about information sharing with the government. >> the one thing i would add to that is i don't think we have a problem in the offensive operations because we've carried out offensive operations. what is wrong with these people, why haven't they published it yet? that we have carried out offensive operations. some of it you may have heard of. i was talking to one of the people responsible inside about what is the legal thing to do. he said we tried it under title 10 and we would do it under
3:14 pm
title 50. we don't have a problem carrying out the offensive operations. that said, there is no such thing as cyber deterrence, so there are issues that congress needs to work on and most of them are domestic, but in terms of the military capabilities i'm not cynical about congress. i'm cynical about this congress. in terms of our military capabilities, the military isn't waiting for happy words from capitol hill. >> leonard, i think you wanted to respond. and then dan, i will see if there was anything else you wanted to add to the discussion. >> i had a brief point to make. i think when i say that cyber is hard, having done this for a while, i think one of the reasons it is particularly hard, i'm sitting in a room with highly educated people, abstract and difficult thoughts, but i would
3:15 pm
wager that for most of you everything that happens behind your keyboard is magic. [laughter] what is that information exactly? what is the computer doing while you are operating? having a conversation on privacy and information sharing in this context that is fact based and rational is very difficult when there are different parties with different interests, and to have that discussion is very difficult. but the fact you have a baseline community who don't exactly understand what we are working with makes it extremely difficult, so much of this discussion about privacy and information is being had in a mediated environment. we need people to tell us whether the information that we are leaking is important or not and whether it is private or
3:16 pm
not. but there are other aspects of this, particularly in the information sharing bucket where we are trying to figure out what information can or should be shared; getting the baseline of what that information is, just what it is, is very difficult in the tech-phobic world. >> i have trouble seeing you down there but do you have anything to add on the privacy issues and the legal concerns that have been raised? >> i started with do i have something to contribute to this discussion, and i hope this is a point that this audience would appreciate. my title is associate general counsel, not the director of
3:17 pm
strategy and policy or in ppp, so the think tanks and people can debate this. our role is to help the clients figure out the way to move forward here. in terms of privacy protection and information sharing, the cornerstone has to be trust and confidence in one another. so privacy protection is absolutely critical and it has to be built into the whole project. i can talk about that a little bit more, but underlining this whole conversation has got to be a level of trust and confidence and belief in one another that comes back to privacy protection, which we think is the key element that dhs can bring to the table.
3:18 pm
>> i want to look more at what role the private sector can play and whether the private sector can play an active role, but before i do that, just this week nist, the national institute of standards and technology, released its preliminary cybersecurity framework and is seeking public comment, so this is another element of the domestic strategies of the government working with the private sector on cybersecurity. i wanted to maybe get from you, to start, the framework is in part a response to a failure of legislation last year. do you think it is a useful effort and, you know, where do
3:19 pm
you see -- where do you see it going? >> it's interesting because at the end of the debate, when you speak to the individual senators they understand the problem and would like to do the right thing. a few of them are ideological. we know that from the budget debate that some of them want to do something and they felt a lot of regret that they failed to pass a comprehensive bill. the bill had a lot of problems and i know that as well as anyone for a whole set of reasons. but behind the scenes after the two votes failed, there was a big effort with senator mccain and others to try to resuscitate something and they were unable to do that. as part of the reaction the white house in august, early august, decided it would put out an executive order that would use existing authority over the regulatory agencies he has control over and hopefully influence
3:20 pm
other regulatory agencies to set standards for what adequate cybersecurity would look like. so that's a good plan. the paragraph that you want to look at in the executive order is paragraph number ten. this is: once nist develops its framework, regulatory agencies should compare it to the existing regulation and see if they are adequate. please do this by 2015. so we are not on what we would call a quick cycle but it's probably the best we can do. we have to hope that the revolutionary guard is patient. what does it mean? i was talking to the nist people who are working on it at the beginning of the process and i said how much have you actually written and they said only 12,000 pages. so what do you do?
3:21 pm
do you open it up whenever there is a crisis? the framework attempts a very concise document. it's only 44 pages long and it's best to think of it, given how nist does things, as an annotated bibliography of steps you can take to improve your network security. it doesn't actually tell you how to do it, but it's like getting a menu in a restaurant and you get to pick. maybe the draft will change. one of the implications for this audience: there have been two major changes this year that will shape the landscape. the first is international. the second is the nist framework that inadvertently, and much to the shock and horror, creates a positive duty of providing due diligence. and if you're not exercising due
3:22 pm
diligence, you should be liable. and that is the path we are on. this has been a goal for a decade for many in the field. how do you get companies to say this is what you must do? we are at the point that we can say do these and you will reduce the risk by 80% or more, and if you aren't doing them, why? so due diligence, liability, that is the implication of the framework. right now nist has pretty much done its part -- there's a handover and dhs will get to implement this in some fashion. >> laura and then dan. >> executive order 1636 was introduced and now rockefeller introduced legislation in july that would make it a statutory requirement. i'm assuming from your remarks that you are opposed to that. >> i got a note saying please don't trash us in the press because we took out all the hard parts of the bill.
3:23 pm
our bills aren't going to pass this congress. they took out the part that puts the executive order in. i admire senator rockefeller. he has been pushing this since he was the chairman of the select committee on intelligence. he's doing a great job. he knows what to do and he's trying to do it, but i think, judging from the remarks i got from his staff, he doesn't think there is a chance to get any bill passed, so they had to strip out the parts that would make the executive order statutory. >> where do things stand on the framework and how do you think this will help? >> i think that jim has described it very well in terms of the timing. the framework is out for public comment. people are supposed to comment by december and there have been a number of workshops building over time, so it's not surprising to private industry; it will be issued
3:24 pm
finally in february. but if i could expand on it and add another angle to it: in this environment congress isn't able to pass legislation, so we try to encourage federal agencies to do what we could under the current authorities. nist developing its framework is one way that we could make a contribution, essentially to establish a set of best practices that would allow people to see where they need to be shooting for. at the same time another part of the executive order, including dhs, tries to think through a certain set of incentives that could be developed to encourage adoption of that framework, so in an absence of regulation how can we incentivize that type of behavior? and that was issued by and
3:25 pm
developed by the white house; the report on it is in a very thought-provoking area. i will mention some of the areas that were suggested. the problem with this being in the ability of the federal agencies to do, and much would still require congressional action, such as building a cybersecurity insurance framework with industry so that underwriting practices would drive this. there is a preference, basically meaning if there is technical assistance for certain companies to benefit from, by adopting the cybersecurity framework they would have some added level of preference for that. liability streamlining and other incentives. there is an interesting complement of how we incentivize people to get there.
3:26 pm
>> i'm a huge champion of nist. i think they are incredible at what they do. not a day goes by that we are not taking advantage of something that came out of nist. but the task they were given here doesn't end very well for the security -- >> for the reasons that we've already described. you look at the executive order and what the mandate is and it talks about regulation, regulatory. it doesn't talk about going after the bad guys; you have to tell them that they are coming. then it talks about best practices. this is best practice in a dynamic environment where the best practice today is defeated tomorrow by the enemy who pivots and shifts. so what we have seen in the area of security, if you are focused, and again this goes back to focus,
3:27 pm
it's not that good cyber hygiene isn't good. it's in the name. it's good. it's that it's ultimately ineffective or effective only at the margins, no more effective than saying i'm going to have some good best practices for immortality. it doesn't ultimately end well and so what you are seeing here -- [laughter] is for the private sector it is the law of diminishing and negative returns that happen. the first problem is every dollar that is being spent on security is not getting the same value it used to. at the beginning you have sort of the base layers and you are getting more than your dollar's worth and it's going to be you are spending a dollar to get a dollar, but that is diminishing return. we start building the best practice and the enemies overtake that, which means the efforts increase the problem, so
3:28 pm
we are spending dollars and making the problem worse, which is hard for good people to accept. when good people, smart people, put a lot of effort into something they can't believe that it's making the problem worse. it would be the same as if, for example, somebody said we have a good way to keep bad people out of this hotel. let's build a 20-foot brick wall because our understanding is the bad guys can't jump that high. so we spent about $2 million to build that brick wall. it works a week or two and then the bad guy spends $50, buys a 30-foot ladder, and the government pats itself on the back for warning us the landscape has changed and he has a 30-foot ladder that can overtake your best practice. so you know what you need to do now for your best practice? a 40-foot brick wall. you see where this is going. soon i'm spending $3 million for
3:29 pm
the foundational problems and the cost of inflation, and i'm going to be prepared for the government's warning about the 50-foot ladder that only cost the bad guy $100. so what you are seeing is the constant focus on having the victims spend more in an environment that is dynamic where you really can't keep up with it, and the dollars we are spending are making the problems worse. you would forgive the private sector for wondering how this ends. but nist, and this is why i love them, nist recognized this issue and when they sought public comment, they actually asked for comment about metrics of what success looks like in this environment. they said there is the question of an actual metric of success, but that was a problem that they were dealing with. so, for example, if i am getting scanned, my system is being scanned for intrusion a thousand times a minute and i could block 999 of those each
3:30 pm
minute but one gets through each minute of the day that completely penetrates my system and exposes everything to confidentiality and availability harms, is that a successful security system? your answer to that matters because there is no best practice that is going to get anywhere near that, but it's going to cost a heck of a lot, and i am completely on his side that we have to go on the front row and do it better than ever before. our legislative proposals have to focus on that and we have to start thinking about what the role of the government is. this might be where you are heading, that we've talked a lot about the fourth amendment and privacy concerns on the government-centric view of this problem, but the private sector, through its own technologies and its own market forces, through its own transnational organizations including nongovernmental organizations, can help define those rules for their own groups,
3:31 pm
that on this system and in this environment this is what we have consented to. these are the rules of the road. we have to think about what the government's role is in helping the private sector at a professionalized industry level, and for the nongovernmental organizations which already control a lot of the governance, how we improve security in that model. we shift towards threat deterrence. as part of the elements of national power that we have all grown to view as government-centric, diplomatic, information, military, economic and law enforcement, the private sector has some of those capabilities as well, using the government institutions, whether it is to better enable them to do civil lawsuits and attribution
3:32 pm
that feeds into the law enforcement system, whether it is a name and shame campaign that can impact the economy of the nation-state and the viable companies that are benefiting from stolen intellectual property, we have to start thinking that way. >> i think that you have something to add to that? >> i think you're right because all of this sounds government-centric. there are five approaches that have been taken. new institutions are needed, new procedures are needed to get this. you have to limit the disclosure of certain information to other entities, the privacy concerns, but all of these are governmental focused. none of them transfer the power or agency to private industry and empower them to defend themselves against such a threat. >> we could have a lot of fun talking about the private sector but
3:33 pm
a google representative said they have the same capabilities as nsa. i said that's cool, i didn't know that you had nuclear submarines and collection satellites. but put that aside for a moment. don't underestimate your opponent, please. and don't overestimate your capability to deal with those opponents because they are not bound by our law. the metrics point is a good one, that ceos have different metrics. so when you go in with a set of metrics, you know you are not going to get a sale. that is the angle that you have to take. you're beginning to see them do this calculation of risk and the question i usually ask now is does your board have a risk committee, and most of them say yes, and i say does the risk committee consider cyber risk,
3:34 pm
and the answer on that one is mixed, so that is one of the measures we can use to see how this is changing: is the board thinking about risk when it comes to cyberspace? different metrics, and that is why this has been a hard problem. >> one brief point. i've always been brief and supportive of my colleague here. one thing in discussing this issue is what we see in cyber at this point is that it is just another extension of activities of crime, of activities that are constant, that in reality we are not going to eliminate. it's not going to disappear from other countries and neither is crime. from an agency that is dedicated to minimizing that as much as
3:35 pm
possible, but no one i think actually says it will be eliminated. i think in this environment we are dealing with threat mitigation, so we are going to mitigate the threat. vulnerability mitigation. we are not going to eliminate the vulnerability unfortunately. the one thing i have on that is another area we have agreed, for example, you don't drive cars when they can explode; it is unacceptable. having planes that kind of tumble from the sky is unacceptable. having computer hardware that is immediately subject to or vulnerable to intrusion is unacceptable. actually, it's not. we have accepted that as a model. we accept that there are updates provided to our computers because they in fact are perhaps inherently subject to some vulnerability.
3:36 pm
so i only make that point to say that we are in an environment where we have all these problems, and as much as we would like to simply eliminate them or get to the place we can eliminate them, i think that realistically we are going to be dealing with strategies to mitigate these problems. >> before we open up to questions i want to get a little more specific on what the private sector should be able to do, and maybe if you or anyone else can kind of jump in on this, because there has been a lot of discussion of actions the private sector could do in its own infrastructure or moving outside of its infrastructure to try to get back. is this a part of what you're talking about as a greater private sector role in deterrence, and i guess from
3:37 pm
others, are there reactions to that specifically? >> some of these issues are discussed in a way that is very evenhanded to address the issues. >> i have no financial interest in this, so i actually can say that. i would rather start on the highest end of that question, where the private sector should be, and touch upon some of the comments that i made earlier, which again would require a sort of paradigm shift. a paradigm shift in which we try to realize that the internet and technologies from a security perspective have differentiations. it's not the case that the top-secret computer that i used
3:38 pm
to use for the government should be the very same computer with the very same protocols that i could buy in any electronics store. that makes no sense and it has obvious consequences in terms of moving data between the top-secret, secret and unclassified networks, and we heard a couple of years ago how the consequence on one occasion led to the -- i don't know if "little" is the right word -- but multiple infections with malware, which not only has an effect on confidentiality but could have actually destroyed our information base. so the first thing is to try to figure out what the technological solutions are and that's going to be a private sector challenge. it might be funded by the government, but by and large it is an r&d opportunity to come up with hardware, software and protocols that differentiate between security and privacy models. i think that there might actually be a happy coincidence
3:39 pm
here in which some of the areas where we need the greatest security happen to be in the same areas that require the least amount of privacy, which is interesting if you think about it and certainly an opportunity for where we should start. when you think about the power grid and that environment, there is a very low or should i say nonexistent requirement for anonymity, and you should be known to the biometric level of who you are. so, what we see is that the technologies that have been developed and the interoperability really have focused on that. for the internet, the first consideration was interoperability. with bandwidth, the focus was on speed, and after that the focus of the engineering community was on privacy, so we have the best minds in the world to focus on
3:40 pm
attribution. so i think of that as the first level: where can we have better systems that are interoperable, internationally promoted environments for detection and attribution that are consistent with our civil liberties and privacy requirements. one of the problems we have is coming up with international agreements between the governments, starting with the cyber crime convention in europe, which to this day can't agree between the allied countries for law enforcement purposes, and that doesn't include major players in the space. it could be resolved by the private sector in a governance model that would say if you want to operate on this platform with this hardware internationally, then the governance model actually has private sector
3:41 pm
cyber emergency readiness teams that can go in and locate the data and stabilize the situation, so you've got the detection and attribution that can be used for a penalty on whomever the adversary is that did that. it might be blocking some people out of a system or turning it over to the government. it may be civil lawsuits or engaging in name and shame campaigns. whatever the issue is, the model that we are looking towards may not be an agreement on the government fundamentally but international agreements between communities of interest in the private sector. i was often reminded in the government and now in the private sector, when i'm speaking with a company, they are likely in place in excess of 150 countries. if i could bring ten
3:42 pm
transnational corporations together, i have a good international strategy. so that's the second thing. third is to think through what the governance models are. we are looking at nongovernmental organizations that are handling the domain issues, looking at internet protocol and how that's managed, but you don't have a similar nongovernmental organization that is actually formed and federated for the purpose of security, and that is what we can consider. so where does that leave us with the larger strategic vision? what you are seeing now, depending on where they are, we saw an internet company and security company abroad that actually broke into a china pla infrastructure in hong kong, getting in and looking for the infrastructure and publishing that for the security of the
3:43 pm
community, saying here is who is stealing your data. to look at that from the perspective of the united states, looking from that viewpoint, you broke into the system. you didn't destroy it or damage it, but that is unauthorized access, and you may have gone through that system and in publishing it committed all sorts of other harms, including violating surveillance and traffic statutes. depending on your worldview of whether that is the case now or not, the dialogue has to be whether or not that should be the case and how those types of activities, if they lead to the positive goals that we want, how do you do that in coordination and cooperation under the guidance of nation-states and the lawful systems, and what comes of those? there is a debate on the active defense side. certainly i've never been in favor and i
3:44 pm
strongly oppose anything that looks like vigilantism, getting out and getting into a clash as a pure matter of principle, but i think that there is a lot that doesn't fall into that category, and when people speak about active defense, there is a group that immediately drives towards escalatory models and i don't know if they think that is what is likely to happen or they are just throwing that in to disturb the rest of the conversation in a disingenuous way. but regardless, there are things that can happen right now that are possibilities for detection and attribution that are both on the network and off the network. a lot of the bad guys are operating on networks that have no password protection where they are pulling information back. they are keeping it there until they go back and obtain it for further use and i've never heard
3:45 pm
anyone say if there is an open access point that has your information that you can't go and get it back. but the area that i think is most worth consideration by the group of lawyers and from that policy perspective is where does the real-world view of self-defense and defense of property and life have its cyber analog. we really haven't in the past seen that. areas where something would be traditionally or technically unlawful, when it's done proportionately, are justified, and that would be true of someone who steals someone's property running down the street. if someone were to say are you able to tackle somebody and hold them down on the street for a period of 15 minutes, you would get the answer that would be assault, battery and kidnapping. if i put it in context and said
3:46 pm
they were making off with property, that there was no law enforcement present and the purpose was to keep them in place, you would say of course that can be done and that would be justified. a lot of areas the private sector is considering now is what is the ability to stabilize the situation, to restrain certain evidence in place, with restraint, and reengage the government, where unless the private sector acted it would be met with irreparable harm. >> i want to get to the audience but i think we have a couple of people that want to jump in on this. >> there are different levels of protection depending what the domain is, but to say you have no privacy interest in the electricity, there is a case on point with thermal imaging: you can't collect information from a
3:47 pm
home that indicates high use of grow lights for marijuana use because that is under the fourth amendment. if it would indicate you can figure this out from all that information, i think it would be open to challenge. the fourth amendment protects persons and their information against searches; you have to have probable cause supported by affirmation, described particularly. >> that is directly addressed to me. i never suggested that there wasn't a privacy consideration. i was talking about the electric power generating grid itself as having high security. i am talking about the actual grid, not the smart grid coming to the home. i don't challenge that in any way. >> i'm going to talk really fast. you know i'm not. i have a different experience
3:48 pm
from most people in the united states in that i've been conducting, with the permission of the government, regular talks with the chinese ministry of state security and the people's liberation army about cybersecurity. the participants include u.s. government officials. one of the reasons we worry about escalation in the calculation and interpretation is because the chinese have brought it up. at various times they have said things like there is no such thing as the private sector. companies are acting at your behest. of course that's why they say it. they've also said if we show up and ask for fbi cooperation, if we find someone doing something and we bring a case to the fbi, will you cooperate? they said yes, we will cooperate in investigating and perhaps prosecuting that company. something to bear in mind: the legal framework for this internationally is changing. the group of government experts
3:49 pm
in the un put out a paper that was endorsed by the secretary-general and the general assembly that said international law applies to cyberspace and national sovereignty applies to cyberspace. the un charter applies to cyberspace. there are borders in cyberspace. get rid of that old .com stuff; it's taken by the residents of the territory. this is the international standard. think about how the world will change in the next three years as people begin to move down this path of moving cyberspace from being this vision of the borderless commons to just another extension of the national framework for international relations and national security that we have now. >> why don't we see if we have any questions.
3:50 pm
>> university of north carolina. trying to combine some of the points that were made around the presidential directive, the planes of the sort of band data being insufficient and how we need to do to her would have been addressed in large part by the president actions that authorize offensive and defensive but often cyber operations and the headlines ran with there being a target that was associated with this revelation the president authorized. i don't know if there is any kind of constitutional issues that it was just by the president alone but regardless, that would seem to be exactly to the point of there being a
3:51 pm
failure of the deterrence by the government. so it's not -- maybe this gets into the issues i don't understand what's happening in my computer in terms of very abstract but it sounds like a cyber effect operation, the target list, the government doing something directly to deter and if not, why not. is there something about the mechanics that don't be quite to the actual deterrence? >> the debate hasn't caught up to the larger international debate. >> discussion in the u.s. hasn't caught up to where the international discussion is, and in part that is because the normal diplomatic stuff is classified. it would be useful if the state
3:52 pm
department was a little more transparent. i think they are trying. the issue is delivered directly: people are beginning to interpret the laws of conflict as they apply to cyberspace. the first is can we define what an actual attack is? yes, and it's consistent with a definition that we have and this grows out of the experience with others: there has to be violence and damage and casualties and death. there are areas of ambiguity. everyone admits that there's a general sense this is an attack that would've justified the military response if there is a desire to see this carried out in the provisions of the un charter and things apply into self-defense. most of what we have seen doesn't qualify as an attack. from the perspective of the international community it is not an attack, therefore military response is not justified, and we have tremendous military
3:53 pm
capabilities that they are, but that's not going to deter the crime, and they didn't deter the crime or espionage of the cold war. why are we surprised now? >> if i could pull the thread on that, because the cyber offensive capability is the nation-state ability regardless of what the incoming threat is. this is our ability that could be against a bombing. it's not necessarily the trick to a cyber threat. when i talk about deterrence, although that could be one piece and with limited potential, limited set of circumstances as a part of a greater mix of military power that we might have, i try to put that into the wider context of all of the elements of national power so that is part of that, but you still have the diplomatic, law-enforcement, private sector capability that combines a
3:54 pm
deterrent effect so it's one small aspect, to answer your question, and one that is limited in its availability for use. spinnaker just as a sourcing note you might want to look at the un experts or the work that will become public out of the organization for security cooperation in europe. >> thank you for a wonderful, wonderful panel. so, as you know in groundhog day bill murray does become a better person and gets the girl. so there is a good ending. [laughter] melissa hathaway gave a presentation about her perspective of where we are on the cyber for the bush
3:55 pm
administration and the obama administration and one of the core authors of the comprehensive cyber security initiative, which many of you are familiar with, and her sort of plea was she has been at this since 2008 like many of us and she has been kind of taken aback by the lack of an international strategy that the united states seems to be pursuing into country game for what you have to say and what you think of as a group as you raise the issue you raised it's like the quiet negotiations jim has been involved in. what do you see as the best model for an international set of standards or norms or convention that we should be heading towards as part of the information sharing you are acting all over the world under a range of information sharing issues not just in the united states. i would be curious to see what the brainpower on the panel thinks. and i do hope that you will look at the cyber playbook as many
3:56 pm
issues that you raised are discussed for the committee. >> i'm very positive about this. remember keith alexander is an army general so every morning he recites the army and the key line is i will never accept defeat. so i will never quit. he says that it's true toothpaste durables on his chin because he is singing it. we are going to win this one but it's going to take a lot of time. it would be on the diplomatic side. the terrain is changing for a couple of reasons. the u.s. has experienced a range of setbacks and the influence is diminished. we do have a diplomatic strategy. it's not necessarily entirely public, but it is available at the white house website. >> i've been trying to remember why we did this and i went back
3:57 pm
to these issues in the clinton white house and for some reason, we split them. we had a secure public network group and the e-commerce working group. i was one of the two crossover people. why did we split them? who knows. but you now see issues of cyber security and internet governance overlapping considerably and as a part of that, you have the control over content issues and you have the issue of transborder data, helped by the snowden revelation so every country has the same reaction. we did, too. most countries that is their opening position so that is kind of the debate we are having now. how do you manage it in a period of transition moving to a world where cyberspace will be treated like every other, like
3:58 pm
disease or whatever. how you manage the transition so that we don't lose the key values and yet we could have a more stable and secure environment. so i do think we have a strategy. you could say perhaps it isn't public enough, but the larger political influence will make it more difficult to achieve. >> so, in light of the recent revelations with encryption, the standard-setting, the high level of cynicism overseas, it's not just a brazilian visit that's canceled. there's very serious opposition to what the united states has done overseas. i was in cambridge at the time; it's remarkable the extent of anger towards the united states and we often forget that when we are here domestically, but the revelations have been a significant setback to the diplomatic efforts abroad. i also think it is too early to see how that will pan out.
3:59 pm
if it's going to pan out that the united states is able to lead from behind and that we could regain a leadership position, but i think we will see a significant fallout for some time to come. >> i think like jim on this issue i'm an optimist. time is on our side. the development of the international norms will follow. so when they start to negotiate it was the countries with a certain amount of technological gain already. i think what we are seeing is some of the norms that have driven the other doctrinal advancements will become more possible. when someone brings up letters of marque in this context but there are certain types of international attitudes towards
4:00 pm
hacking and intruding upon networks that likely will gain purchase and make it easier to perhaps create international doctrine. ..
4:01 pm
there's actually time a cyberdistress. so even before we get our international strategies in line, as melissa was talking about yesterday, do you have any ideas going forward on how to get these desperately sufficient stakeholders on the same page? that to me seems critical before we can get everything else going. >> i don't like talking so much. first of all, the privacy community tried to conflate the two because it's the republican chairman who said he'd gotten more letters on sopa than any other issue last year. >> can you just say what sopa is? stop online piracy act. i was about to make a bad joke. i won't.
4:02 pm
so it was an act that would have diverted people who were typing in give me free version of mickey mouse. it would have diverted them to some website that said stop, you are violating federal law. it messed with the dns. a bad idea. conflating them -- this is sort of how things work in a democracy because we are in a politically difficult situation, maybe it's moving a little more slowly. but i do think we will bring people around. when you talk on the hill, five years ago we probably all had this experience. five years ago they would say get out of my way, kid. why are you bothering me with this cyber stuff? now they get it. we are on a path to fix these things. you will have significant objections, though. one of the things we are not
4:03 pm
dealing with one economic think tank hack, what i say is snowden is not accidental. it's planned, a nonstate actor in warfare against the u.s. so we have a new conflict. we're not doing so well in dealing with it right now. these are things we have to overcome. i'm positive we can overcome them. >> i'll just pick up the part of your question related to developing levels of trust and credibility between all the players in terms of privacy protections. there are some models to proceed. i have a personal or unique perspective on this. i was appointed by the president in april 2003 to be the first officer for civil rights and civil liberties at the department of homeland security. it was a first. this had never happened; this position never existed in any government agency before.
4:04 pm
on the same day, the secretary appointed a chief privacy officer. we headed out together in this uncharted world, trying to figure out what to make of it and how to develop some traction, trying to figure out how to get through the policy world to develop some traction. i have left the department of homeland security in the last few months. i've been really struck by the structure of privacy that has been built in. i walked past a cubicle three times a day and it's so-and-so, privacy officer. the privacy impact assessment, the idea of having a privacy impact assessment within the organization to assess the privacy impacts of your program was foreign to us in april 2003, foreign. i remember my colleague introducing this idea for the
4:05 pm
first time. and now if you look at our website, we've got probably a dozen privacy impact assessments just on cyber-related programs. we have five unmanned same program itself. these folks do training, cyber-specific training. outreach, advisory councils. so i think -- my point is i'm optimistic that there are models we can build upon in civil liberty and levels of confidence. we need to adapt those across government and a lot of private entities to have that kind of embedded appreciation for these issues. there are ways to proceed there. >> everybody on the panel -- leonard, steven m. or i'll have something to contribute. >> very brief on that question. this for me comes back to the point i made about information of people understanding technology. that is to proselytize on that issue as much as i can because i do believe the earth has not
4:06 pm
figured out in front of the public on this. they have business concerns that will drive them back from being that the bleeding manage at doing certain things. one of the frustrations we face, working closely with our colleagues at dhs, for example, several years ago when people were very, very concerned that there would be a system that would be filtering their e-mails, trying to find malicious code or things that shouldn't be there. we spent a lot of time asking people, do you have an e-mail account? you know that spam is not getting to you? how do you think it is not getting to you? there was a lack of appreciation that the very technology we're talking about, where things are broadly implemented in the private sector and used as just baseline common sense security measures. but there's a lack of appreciation for that. i do think that part of it is trying to develop a more tech
4:07 pm
savvy world, where people understand the way the information is implemented. an appreciation for why it is different parts of this whole enterprise are implementing us, including government. >> this actually gives me an opportunity to end on a happy note from my perspective. despite certain pitfalls that you see here and there over time, the government and private sector are working remarkably well together every day. even some of the players he mentioned daily are working with law enforcement, with the government. those might not make the headlines, but they are happening all the time. the program started in 1996 has 55,000 people today meeting throughout the country, building the type of trust that this story that doesn't change on the event here they are. the task force is working with
4:08 pm
the defense industrial base together with nsa's information assurance directorate; the csp program goes on and on. so my main point is that industry and the government work well together. we align for the right goals. i don't see a problem in that regard. >> laura. >> the outcome i want to respond to dan's points. there is a real danger here that we think by checking the box we address the underlying concern. i'm thinking about privacy. we have the oversight board. no resources, no money. the idea we have one, great. but what can it do? we have the records notices come up with exceptions for national security that are routinely used by dhs and others, but through the biometric program to the privacy act is almost 40 years old and no longer does what it was set to do. we have a foia with exceptions
4:09 pm
for national security that are routinely used to deny even requests for legal reasoning as to why somebody has engaged in certain activity. now we've seen with judge reggie walton's release, judge eakin in august of this year, that you can release the core reasoning without providing too much information about the underlying issues. what we found out is a secret court has secretly carved out what the supreme court itself has never recognized. so when you say look, we are doing a lot of privacy, it is hard not to be too cynical about that when you see there's this underlying deficit. there is a problem in another population if you're trying to get buy-in from them. there's a certain amount of cynicism and concern about the level to which democratic governments can continue if you don't know what is happening in your name and what your elected representatives are doing.
4:10 pm
>> okay. we have about two minutes left. if somebody has an easy question. [laughter] >> hi, i hope it's an easy question. it's actually two. one there may not be an answer to yet; another is how the liability issue that was mentioned with regard to the new framework will play out. i wanted to ask also about the broad community of hackers, many of whom see themselves as security researchers, who report early days when they find vulnerabilities. i would like to know what the panel thinks of that community and their place for sort of a crowd sourcing, if you will, of vulnerabilities. what do you think? >> who wants to jump in on that? >> take the financial sector as an example. there's about 20 different laws
4:11 pm
that relate to customers' privacy information. in terms of liability, you have gramm-leach-bliley, 1999, the credit reporting act. you've got the electronic fund act. protect information against government access. you have consumer acts. there's all different ways in which liability is incurred that have to be addressed in some sort of a long-term comprehensive cybersecurity package. >> on the second portion, i'll give you a descriptive and normative answer. descriptively, those people are breaking the law. 1030, the computer fraud and abuse act. there's no provision for self-help or for doing it really to help everyone else. there's not anything recognized in the law currently that would assist those people in behaving or having their acts rendered lawful. normatively, i personally think there are concerns about opening
4:12 pm
up the landscape to say different parties determine themselves what most they can take, what data they can retrieve, what costs they can impose on others when it's taken from their network. anyone who suggests to you that conducting an intrusion and perhaps retrieving or deleting information on a network that you're unfamiliar with is simple and without risk is probably selling you something. there are great risks in doing that. the question is if we build that into the law, are we actually creating a more or less resilient, secure cyberspace? many of us feel it's perhaps an open door to a less secure and stable environment. >> jim says he has a -- he might just be a tiny one.
4:13 pm
one thing to track is the cost of buying these sorts of vulnerabilities. the guys who did it tell me the price has gone up to about 50k for a new one and it was 100k. there's more competition. the people who complain the most are researchers in china as the mps comes to them and says you know to the state to give it to us for free at discounts of other chinese guys trying to move to singapore. interesting market, not that visible to you. i think it's going to become easier. think of where we were, the panel knows this. we know so much more than we knew five years ago. we are getting to the point where you will know to the company that's had a significant problem: here are things you could have done to reduce risk. why weren't you doing them? when that happens, you'll start to see the collection. >> alright. i hope everybody will join me in thanking the terrific panel.
4:14 pm
[applause] >> thank you. an administrative announcement: if you would clear the room, as we did yesterday, you can leave your personal belongings on your seat and we will be back together in 45 minutes at 1:00. [inaudible conversations] >> president obama laid the traditional wreath in veterans day ceremonies at arlington national cemetery today. >> after tour after tour after tour in iraq and afghanistan. this generation, the 9/11 generation, has met every mission we have asked of them.
4:15 pm
today we can say that because of their heroic service, the core of al qaeda is on the path to defeat. our nation is more secure and our homeland is safer. there are men and women like the soldiers come assumed to be better in another few months ago. chukar he hoped. to curry deployed to iraq twice and survived not one, but two, three separate ied explosions. when she was well enough, she deployed again. this time to afghanistan, where she was often the only woman at a forward operating base. she proudly wears the combat action badge and today chukar is committed to helping other wounded warriors recover from the trials of war. helping the troops, she said, is
4:16 pm
what i am all about. my fellow americans, that's what we should be all about. our work is more urgent than ever because this chapter of war is coming to an end. soon one of the first burning survived in an 12 years ago, brigadier general daniel you will lead his camp pendleton marines as they become one of the last major groups of marines to deploy in this war. and over the coming months, more of our troops will come home. this february troop levels in afghanistan will be down to 34,000. by this time next year, the transition to afghan security will be nearly complete. the longest war in american history will end.
4:17 pm
4:18 pm
>> mrs. kennedy is very well known at this tile icon, admiration of fashion sense. mrs. kennedy put a lot of thought in her wardrobe when she was representing the country both at the white house and while traveling abroad. she would think about what colors would mean something to the country i'm about to visit. so for her visit to canada, she chose this cardan as a gesture restocked for the red of the canadian maple leaf. i really admire the thought that mrs. kennedy put into her wardrobe. she also knew the advantage of choosing a color or style that would make her stand out in a crowd.
4:19 pm
>> up next, the commerce department forum on investment. the panel includes michael froman and the ceos of caterpillar and bmw north america, and the transatlantic trade and investment partnership and a free-trade pact with the asia-pacific region. >> good morning, everyone. secretary kerry, thank you so much for that excellent, excellent speech and thank you for joining us on the second day of our summit. we had a great day yesterday with president obama, as the kurds and panelists and all the networking and matchmaking opportunities that went on. today promises to be even better. so let's get started. i am very pleased to announce the start of our first panel
4:20 pm
entitled, why select the u.s.a.: using the u.s. as an export platform. we have a great lineup, including my friend u.s. trade representative michael froman, bill haslam of tennessee, ludwig willisch, ceo of bmw north america, and doug oberhelman, ceo of caterpillar. but i'm going to let the moderator go into more detail on each of our panelists. so let me introduce who will moderate today's panel. neil irwin is a "washington post" columnist and economic editor of a widely read blog in the post. at the wall while, you can get the post news on and analysis. neil is an author who has covered the federal reserve and led the post coverage of the financial crisis.
4:21 pm
ladies and gentlemen, please give a warm welcome to our moderator, neil irwin. [applause] >> thanks so much. we heard from the secretary we've been through an area in which the small piecemeal things to which individual countries. now we are in a moment were big overarching trade agreements are negotiated across both oceans with europe and the partnership. with great panel to discuss these things. first, bill haslam is from a state that has succeeded on the world stage as an exporter. pockmarked another of america's great success stories is caterpillar, the giant exporter
4:22 pm
of mining and construction equipment. doug oberhelman is the ceo with us today. [applause] caterpillar is a great story of an american company of exports to the world. we also have the leader of the great european country that makes a great deal of stuff in the united states and we are proud to have -- under this all over again, ludwig willisch, ceo of bmw north america is still with us. [applause] the man who's negotiating these trade agreements on both sides of the atlantic tonight dates, the u.s. trade rep is ambassador michael froman. [applause] we're going to start with a few comments from each panelist. governor, we'll start with you. >> thank you. it's not to be here. i've been the governor of tennessee for three years. one thing people ask you is what
4:23 pm
have you learned. the answer is a whole lot. one of the quick things you learn is this, international trade agreements directly impact the job of the state governor. when i started running like i said several years ago, that certainly would have been one of the key issues on my horizon. it is definitely true. let me give you a little context. in tennessee, we're proud of the fact that we still make things. we make a lot of automobiles. we make a lot of furniture, which people thought had gone from being produced in the u.s. we had a company just last week announce it is moving jobs from china back to tennessee to produce things. we make a lot of medical supplies. i can go on and on. we are proud of the fact we make things. as you see from some of my comments, the ability to make and sell those things is directly impacted by foreign agreements. in context, we export to europe about $.3 billion a year, about 2 billion to china.
4:24 pm
penny was talking about foreign direct investment in the u.s. in tennessee we have about 880 different companies located in tennessee, largely led by japanese companies. they came to tennessee 30 plus years ago and a lot of automotive industry suppliers have sprung up around them. she said there is one point that in million americans working in manufacturing jobs. in tennessee, even though we're about 2% of the population, we make up 6% or 7% of folks in manufacturing this nest of foreign ownership. we are proud of the fact that for four years running we've been laid in state strengths. we are proud of the fact we have the largest cargo hub in the u.s. and the second-largest in the world due to a small company called fedex, which happens to be located in memphis that we
4:25 pm
enjoyed the advantage of. we have four international export development not this in the u.k., germany, mexico and china. tennessee exporters are estimated to grow if the tariff treaty how things to be taught to bow. we think our experts to your poker about 35%. close to $2 billion would be a date with that agreement would be passed. we ranked second in the nation for the manufacturing jobs created over the last year. first in the southeast and per capita income growth and gdp for the last 12 months in the southeast in the top 10 in the country. interestingly, we ranked second -- where the second-leading state for medical equipment supply export. about 11% of the nations exported medical equipment happens out of tennessee and even though 2% of the
4:26 pm
population. as in most business numbers like that, there is a reason: fedex dominates in that business. in medical equipment, if you need it, you need it right then. having fedex as a hub in memphis is great. let me give an example of three large companies that export out of tennessee and why it's important and why the tariff treaties we talk about are particularly important. eastman in upper east tennessee has about 7000 employees. it's their global headquarters. they export about $1.5 billion a year. if pettitte said trudy is passed, that would increase chemical sales for exports about a hundred million dollars a year to europe. we think eastman would get their share of that. nissan is the headquarters for nissan in the americas and their plant in tennessee is their largest in the western hemisphere. about 14% of the vehicles that they produce are exported.
4:27 pm
smith and nephew is one of the medical equipment suppliers we talked about in memphis and the value of their worth is about a billion and a southern medtronic and much medical equipment suppliers. on a lighter note we have a few other things. we export this brown liquid that people seem to know no matter where i go by the name of jack daniel's. i say hi, i'm the governor of tennessee. no matter what country they say jack daniels, dolly parton, we got it. we have some other nice things we export. we're fairly well known for. not just country. i sweeter now come on make 300 million m&ms every day. unilever announced baha'is untruth and in tennessee. with its chemicals, autos, sugar, we have you covered. before i turn it over to the stakes we talk about in terms of free trade agreement and the impact. soon after coming into office on
4:28 pm
the hobby was a cannot locate an suv plant somewhere. it's about a $1.3 billion investment. they ended up locating them in mexico. ceos decide they will tell you there's a lot of reasons for governors when it locates in your state because of incredible sales of the governor did. because someone else can wear lots of reasons why went somewhere else. at least one of the reasons here was the tariffs to import -- to export from the u.s., 10% to europe and 30 to brazil. we are relatively confident one of the reasons that $1.3 billion went to mexico was because of the tariff agreements. we think full implementation would increase tennessee auto exports to europe by about 900 million. the panelist from bmw can talk a lot about the added cost of that and why that is true. a few numbers to wrap up with. countries we have free trade
4:29 pm
agreements with. our per capita exports are 16 times to the countries where we have free trade agreements as to those that we don't. after nafta, our exports to mexico went up eight times, to canada three times. after the agreement was struck with chile, our exports to chile went up 10 times. our exports are chemical equipment must tell you with repeated previously set. i'll come back to the point i made with. as a governor, we're not involved. we don't debate them in the house. those treaties have incredible impact on the things we do. i look forward to discussing it more. >> we have an hour. i'm hoping to hear your pitch for locating in tennessee sometime in the next hour. >> yeah, thank you.
4:30 pm
governor, thank you for a great review. we have a fairly strong presence in nashville with our financial services business there, 700 employees. the big business and no one is happy and really likes tennessee for lots of reasons. >> can you say it one more time? >> i'm often asked, can we really compete in the u.s. on a level playing field basis with everyone else and why don't we build anything? in fact, we build a lot here and i just came from athens, georgia last evening because yesterday we cut the ribbon on a brand-new greenfield factory, 850,000 square feet, 1400 people strong when it's fully operational at the end of next year. these will be small bulldozers and small excavators that were formerly only produced in japan. we brought those to the united states for several reasons. one, we can compete from